Admin: link repair

2017-07-25T23:08:02Z

link repair

← Older revision		Revision as of 23:08, 25 July 2017
Line 359:		Line 359:

	==SECURE command enhancements==		==SECURE command enhancements==
	The variant of the <var>[[SECURE ~~FILE~~ command\|SECURE]]</var> command used to secure a file		The variant of the <var>[[SECURE command: File\|SECURE]]</var> command used to secure a file
	is extended to accept the qualifier <var>FILE</var> and the optional		is extended to accept the qualifier <var>FILE</var> and the optional keyword <var>SIRSAFE</var>:
	keyword <var>SIRSAFE</var>:

	====SECURE FILE syntax====		====SECURE FILE syntax====

JAL: /* Subsystem control commands */ link repair

2016-11-30T21:42:37Z

Subsystem control commands: link repair

← Older revision		Revision as of 21:42, 30 November 2016
Line 372:		Line 372:

	==Subsystem control commands==		==Subsystem control commands==
	For versions of Model 204 prior to 7.5, only sites authorized for [[SirSafe]] were allowed to set the <var>[[APSYSEC parameter\|APSYSEC]]</var> parameter. <var>APSYSEC</var> lets a system manager <var>[[START command: Starting an application subsystem\|START]]</var>, <var>[[STOP command: Stopping an application subsystem\|STOP]]</var>, <var>[[DEBUG command\|DEBUG]]</var>, or <var>[[TEST command\|TEST]]</var> any subsystem, without having to		For versions of Model 204 prior to 7.5, only sites authorized for SirSafe were allowed to set the <var>[[APSYSEC parameter\|APSYSEC]]</var> parameter. <var>APSYSEC</var> lets a system manager <var>[[START command: Starting an application subsystem\|START]]</var>, <var>[[STOP command: Stopping an application subsystem\|STOP]]</var>, <var>[[DEBUG command\|DEBUG]]</var>, or <var>[[TEST command\|TEST]]</var> any subsystem, without having to
	add the system manager to the [[SCLASS]] authorized to do these things.		add the system manager to the [[SCLASS]] authorized to do these things.

JAL: /* Usage notes */ link repair

2016-11-30T21:41:14Z

Usage notes: link repair

← Older revision		Revision as of 21:41, 30 November 2016
Line 146:		Line 146:
	<li><code>AUTHCTL TEST ON</code> produces six informational messages to the journal and <var class="product">Model 204</var> operator.		<li><code>AUTHCTL TEST ON</code> produces six informational messages to the journal and <var class="product">Model 204</var> operator.
	If the <var>MVSRO</var> feature is active, two messages are used to track the tests		If the <var>MVSRO</var> feature is active, two messages are used to track the tests
	performed to determine access to <var class="product">Model 204</var> database file data sets, as shown in [[SirSafe ~~monitoring~~ and debugging]].		performed to determine access to <var class="product">Model 204</var> database file data sets, as shown in [[SirSafe support for read-only files under MVS#Monitoring and debugging\|Monitoring and debugging]].
	The remaining four messages are for debugging access to file and group passwords. </li>		The remaining four messages are for debugging access to file and group passwords. </li>

JAL: add $Sir_Check_Access

2016-11-30T20:58:18Z

add $Sir_Check_Access

New page

<var class="product">SirSafe</var> is controlled by enhancements to the <var>AUTHCTL</var> command, and it provides its services through extensions to other <var class="product">Model 204</var> commands, including <var>LOGCTL</var>, <var>LOGFILE</var>, <var>LOGGRP</var>, and <var>SECURE</var>. <var class="product">SirSafe</var> also offers subsystem maintenance commands and a $function that provides an interface to an external authorizer.

All of these controls are described on this page.

==AUTHCTL==
The <var>AUTHCTL</var> command is used to activate <var class="product">SirSafe</var> for a <var class="product">Model 204</var> password table and to control various aspects of its function.
The basic <var>AUTHCTL</var> command is described in the Model 204
[[Security interfaces overview|Security interfaces]] pages.
This section describes only additions and extensions specific to <var class="product">SirSafe</var>.

===AUTHCTL A SIRSAFE===
The <code>AUTHCTL A SIRSAFE</code> command is used both to
activate <var class="product">SirSafe</var> for a <var class="product">Model 204</var> password table and to specify the
security environments that are allowed to access the password table.
This is accomplished by adding a <var class="product">SirSafe</var> security entry that is processed during <var class="product">Model 204</var> initialization.

====Syntax====
AUTHCTL A SIRSAFE { OPTIONAL | REQUIRED } [ MVSRW | MVSRO ] -
interface=mask [interface=mask] ... 

====Syntax terms====
<table>
<tr><th><var>OPTIONAL</var></th>
<td>Indicates that the current <var class="product">Model 204</var> password table will be accessible to any <var class="product">Model 204</var> Online, including those without <var class="product">SirSafe</var> support.
However, no visible file or group entries may be added to a password table when <var class="product">SirSafe</var> support is optional.
Note: If a <var class="product">SirSafe</var>-enabled <var class="product">Model 204</var> instance opens a password table that has been set as
optional, <var class="product">SirSafe</var> will activate only if the current security environment satisfies the conditions described by the <var class="product">SirSafe</var> security entry. </td></tr>

<tr><th><var>REQUIRED</var></th>
<td>Indicates that the current <var class="product">Model 204</var> password table will only be accessible to a <var class="product">Model 204</var> online that has:
<ul>
<li><var class="product">SirSafe</var> support
<li>A current security environment that matches one of those specified in the special <var class="product">SirSafe</var> entry </ul> This condition enables support for visible file and group entries.</td></tr>

<tr><th><var>MVSRW</var></th>
<td>Indicates that <var class="product">Model 204</var> will try to open all files in read/write mode and update their FPL pages, even if the file is being opened for read/only access.
If a file cannot be opened in read/write mode, it will not be opened. This is the standard <var class="product">Model 204</var> behavior, and it is the default.</td></tr>

<tr><th><var>MVSRO</var></th>
<td>Indicates that if <var class="product">Model 204</var> is not allowed to open a file in read/write mode, it will try to open it in read/only mode and so not update theFPL page of the file.
Whether or not <var class="product">Model 204</var> is allowed to open afile in read/write mode depends, of course, on the security profile of the user under which the<var class="product">Model 204</var> job is running.</td></tr>

<tr><th>interface</th>
<td>The name of a <var class="product">Model 204</var> external security interface: <var>RACF</var>, <var>ACF2</var>, or <var>TOPSECRET</var>.</td></tr>

<tr><th>mask</th>
<td>A character string that identifies an acceptable environment for the corresponding security interface, as described further, below. You can use a trailing asterisk (<tt>*</tt>) to identify a range of possible environments.</td></tr>
</table>

====Usage notes====
Multiple interface=mask pairs may be specified.
During initialization, a <var class="product">SirSafe</var>-enabled <var class="product">Model 204</var> scans the password
table for a <var class="product">SirSafe</var> security entry.
If one is found, its list of interface=mask pairs is checked.
If an entry matching the current security environment is found,
<var class="product">Model 204</var> enters the <var class="product">SirSafe</var>-active state.
Otherwise an M204.0340 or M204.0341 error message is produced.

The interpretation of interface and mask
combinations depends upon the particular interface:
<ul>
<li>For RACF, the mask value applies to the field identified
as the "RACF CONTROL GROUP NAME" on an <var>AUTHCTL VIEW</var>
command (see the example in [[#auctlvw|AUTHCTL VIEW]]). </li>

<li>For ACF2, the mask value applies to the field identified as the
"ACF2 RESOURCE TYPE" on an <var>AUTHCTL VIEW</var> command,
prefixed with the letter <code>R</code>. </li>

<li>For TOPSECRET, the mask value applies to the field identified as the
"ACID" on an <var>AUTHCTL VIEW</var> command. </li>
</ul>

Thus, the following command allows visible file and group passwords to be stored and requires that <var class="product">Model 204</var> be <var class="product">SirSafe</var>-enabled when it tries to use
the password table:
AUTHCTL A SIRSAFE REQUIRED RACF=M204* -
ACF2=R204 TOPSECRET=*


If RACF was being used, the RACF control group could be any
name starting with <code>M204</code>, which would include the default <var>M204RACF</var>.
If ACF2 was being used, the ACF2 resource type would need to be <code>204</code>, which is the default.
And any CA-Top Secret environment would be allowed.

===AUTHCTL C SIRSAFE===
The <var>AUTHCTL C SIRSAFE</var> command is used to
change the <var class="product">SirSafe</var> security entry for a <var class="product">Model 204</var> password table.
It accepts the same parameters as the <var>AUTHCTL A SIRSAFE</var> command.
It is especially useful for updating the security masks for a
password table that contains visible file or group entries.

The <var>AUTHCTL C SIRSAFE</var> command may not be
used to switch a password table to the <var class="product">SirSafe</var>-optional state
if the table contains any visible file or group entries.
An MSIR.0542 error message is produced, and the command is ignored.

===AUTHCTL D SIRSAFE===
The <var>AUTHCTL D SIRSAFE</var> command is used to
delete the <var class="product">SirSafe</var> security entry from a <var class="product">Model 204</var> password table, deactivating <var class="product">SirSafe</var>.

Any visible file and group entries must be deleted before <var class="product">SirSafe</var> can be deactivated.
If the current <var class="product">SirSafe</var> security entry includes the <var>REQUIRED</var>
attribute, and visible file or group password entries have been
added to the password table, an <code>AUTHCTL D</code> request will be rejected
with an MSIR.0542 error message.

===AUTHCTL LIST SIRSAFE===
The <var>AUTHCTL LIST SIRSAFE</var> command is used to
list the <var class="product">SirSafe</var> security entry, if any in the current <var class="product">Model 204</var> password table.
The output from this command is the <var>AUTHCTL A SIRSAFE</var>
command that could be used to recreate the <var class="product">SirSafe</var> security entry.
For example:
AUTHCTL LIST SIRSAFE
AUTHCTL A SIRSAFE REQUIRED MVSRO RACF=M204*


===AUTHCTL REFRESH===
The <var>AUTHCTL REFRESH</var> command causes <var class="product">Model 204</var> to manually rebuild
its list of systems for which enhanced shared DASD enqueueing is active, including whether the systems are visible or have become invisible.
This list is displayed by the <var>AUTHCTL VIEW</var> command, as described in
[[SirSafe enhanced shared DASD enqueueing#condasd|Controlling shared DASD enqueueing]].

====Syntax====
AUTHCTL REFRESH [CLEAR]

The <var>CLEAR</var> option directs <var class="product">Model 204</var> to remove from its list any systems that were once visible, but are now invisible.

====Usage notes====
If a <var class="product">Model 204</var> instance is started without a copy of <var class="product">SIRENQ</var> running, an <var>AUTHCTL REFRESH</var>
command is required to enable enhanced shared DASD enqueueing.

===AUTHCTL TEST===
The <var>AUTHCTL TEST</var> command is used to activate or
deactivate the logging of <var class="product">SirSafe</var> debugging and diagnostic information.
When the <var>AUTHCTL TEST</var> facility is active, informative messages are produced that
track the various calls SirSafe makes to the current security interface.
The <var class="product">[[SirScan]]</var> product may be used to examine the messages, or they may be retrieved with the <var class="product">Model 204</var> <var>[[VIEW command#VIEW ERRORS|VIEW ERRORS]]</var> command.

Note: If using <var>VIEW ERRORS</var>, remember that the most recent messages are listed first. 

====Syntax====
AUTHCTL TEST { ON | OFF } 

====Usage notes====
<ul>
<li><code>AUTHCTL TEST ON</code> produces six informational messages to the journal and <var class="product">Model 204</var> operator.
If the <var>MVSRO</var> feature is active, two messages are used to track the tests
performed to determine access to <var class="product">Model 204</var> database file data sets, as shown in [[SirSafe monitoring and debugging]].
The remaining four messages are for debugging access to file and group passwords. </li>

<li>If no security environment is active, <var class="product">SirSafe</var> produces an <code>MSIR.0552</code>
message, and access to file and group passwords is disallowed.
Otherwise, an <code>MSIR.0553</code> message is produced for each file or group
password table entry that matches a password provided by a user, indicating
that SirSafe is testing the current end user's access.
If the external security interface disallows the requested access,
an <code>MSIR.0554</code> message is produced.
If the requested access is allowed by the external security interface,
an <code>MSIR.0557</code> message is produced. </li>

<li>The <code>MSIR.0553</code> message identifies the user attempting the access, the
"dataset" name associated with the access, and the type of access required (read or write).
The user ID is identified in two ways: the <var class="product">Model 204</var> "internal ID," that is,
the ID that appears in messages on the journal, and the external security
interface view — including the user ID and group ID.
The <code>MSIR.0553</code> message is the only source of the external authorizer information, which is important for several reasons:
<ul>
<li>The access checks are performed using the external ID and group. </li>

<li>The access rights are frequently conferred from group, as opposed to the ID. </li>

<li>When <var class="product">Model 204</var> processes a login with an ID from CCASTAT, the external
user ID and group are defined by the <var class="product">Model 204</var> external security interface. </li>
</ul> </li>
</ul>

====Example====
In the following example, user <code>GARY</code> logs in with a CCASTAT ID,
then opens the semi-public file <code>PROCFILE</code> with the password <code>WRITE</code>.
The user does not get the expected access privileges, in fact the user gets the
default privileges for the file:
O PROCFILE
<nowiki>*** M204.0347: PASSWORD
*** M204.0620: FILE PROCFILE OPENED -- NO UPDATES ALLOWED </nowiki>
VIEW ERRORS
MSIR.0554: SirSafe disallowed password access
MSIR.0553: GARY (M204USR,M204GRP) read to
M204RACF.FILE.PROCFILE.INDEXA tried by
MSIR.0598: SirSafe: R/W access allowed
MSIR.0597: SirSafe: (GARY,SYS1) checking R/W to M204.GARY.PROCFILE on MVS204
V CURPRIV,PRIVDEF
CURPRIV X'0761' PRIVS FOR CURRENT FILE/GROUP
PRIVDEF X'0761' DEFAULT FILE PRIVILEGES

<var class="product">SirSafe</var> first performed MVS read-only access checking, using the profile for
the <var class="product">Model 204</var> job (user ID <code>GARY</code>, group <code>SYS1</code>),
and read/write access was allowed, so the file was not opened in read-only mode.
Then the password was matched to the CCASTAT entry for <code>PROCFILE</code> with
index character <code>A</code>, and access to that entry was denied.
Since this was the only password matched (only one MSIR.0553 message), the user was
given the default privileges for the file.

Note: Although the Model 204 internal user ID was <code>GARY</code>, the external profile
being used was user <code>M204USR</code>, group <code>M204GRP</code>.
This occurred because CCASTAT contained an entry for the ID <code>GARY</code>,
a common source of confusion.


===AUTHCTL VIEW===
The <var>AUTHCTL VIEW</var> command displays the status of
the current <var class="product">Model 204</var> external security interface, if any.
If an interface is active, the command displays its type and current execution parameters.
If SirSafe is installed, the <var>AUTHCTL VIEW</var> command also displays
the status of <var class="product">SirSafe</var>, as the following example shows:
AUTHCTL VIEW

RACF INTERFACE OPTIONS
GROUP M204RACF RACF CONTROL GROUP NAME
COMGROUP M204RAC1 RACF COMMON CONTROL GROUP NAME
PRIORITY STANDARD PRIORITY DEFAULT
M204GRP DEFAULT USER GROUP
M204USR DEFAULT USERID
DLMCHECK USE $JOB DLM CHECKING OPTION

<nowiki>*** MSIR.0551: SirSafe is active and required for current CCASTAT
*** MSIR.0599: SirSafe read-only file checking is active
*** MSIR.0687: SirSafe enhanced shared DASD not active, run SirEnq on ZOS4 (P390)
</nowiki>

For information about using <var>AUTHCTL VIEW</var>
for monitoring enhanced shared DASD enqueueing, see [[SirSafe enhanced shared DASD enqueueing#condasd|Controlling shared DASD enqueueing]].

==LOGCTL enhancements for visible file/group entries==
<var class="product">SirSafe</var> provides support for visible file and
group passwords when it is operated in the <var>REQUIRED</var> mode.
Visible file and group entries are easier to administer because
all of the data is visible while it is being entered, and
because the password value is displayed by a <var>LOGFILE</var>
or <var>LOGGRP</var> command.

<var>LOGCTL</var> recognizes standard file entries because the file name is
prefixed by a colon (<tt>:</tt>), and group entries because the name is
prefixed by a comma (<tt>,</tt>).
<var class="product">SirSafe</var> extends the <var>LOGCTL A</var>, <var>LOGCTL C</var>, and <var>LOGCTL D</var> commands to support visible file and group entries.
Visible file entries are indicated by prefixing the file name with a greater-than sign (<tt>></tt>).
Visible group entries are indicated by prefixing the group name with a plus sign (<tt>+</tt>).

Whenever a <var>LOGCTL A</var> or <var>LOGCTL C</var> command is issued for a
visible file or group entry, the subsequent line of input is not masked, remaining visible on the System Manager's screen.
The following example illustrates how to add a visible file password entry:
logctl a >procfile a
M204.0374: ENTER FILE/GROUP PASSWORD,PRIVILEGES,CLASS,SELECT,READ,UPDATE,ADD
theman,X'bfff'
M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN

<nowiki>>PROCFILE A THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL
M204.0376: PARAMETERS ACCEPTED
M204.0345: CCASTAT UPDATED
</nowiki>
Note that the password and privileges are visible while typing, and they are echoed to the screen.
Also, when the completed entry is listed, the password is displayed.
Contrast this to the case for adding a conventional file password:
logctl a :procfile b
M204.0374: ENTER FILE/GROUP PASSWORD,PRIVILEGES,CLASS,SELECT,READ,UPDATE,ADD
M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN

<nowiki>:PROCFILE B ******** X'00FF' 0, 0, 0, 0, 0, ALL
M204.0376: PARAMETERS ACCEPTED
M204.0345: CCASTAT UPDATED
</nowiki>
In the conventional case, the password and privilege line does not
echo while typing, and the password is not displayed when the entry is
listed.

== LOGCTL R==
The <var>LOGCTL R</var> command is a <var class="product">SirSafe</var> implemented subcommand for the <var>LOGCTL</var> command.
<var>LOGCTL R</var> is used to Replicate (copy) a file or group entry in the password table.

====Syntax====
LOGCTL R {:filename | >filename | ,grpname | +grpname} [indx]


Where:
<table>
<tr><th><var>:</var>filename</th>
<td>Indicates a classic, invisible password entry for the named file.</td></tr>

<tr><th>>filename</th>
<td>Indicates a visible password entry for the named file.</td></tr>

<tr><th><var>,</var>grpname</th>
<td>Indicates a classic, invisible password entry for the named group.</td></tr>

<tr><th><var>+</var>grpname</th>
<td>Indicates a visible password entry for the named group.</td></tr>

<tr><th>indx</th>
<td>A single index character used to distinguish between multiple entries for a file or group; it defaults to a single space.</td></tr>
</table>

====Usage notes====
<ul>
<li>If the identified entry is found in the <var class="product">Model 204</var> password table,
the user is prompted for an index character that will identify a new copy of the entry.
Note: The sequence of a <code>LOGCTL R</code> followed by
a <code>LOGCTL D</code> may be used to move a file or group
entry in the <var class="product">Model 204</var> password table.
 </li>

<li>For a simple example of <var>LOGCTL R</var>, see [[SirSafe control of access to passwords#mvcstat|Moving file/group CCASTAT entries]]. </li>
</ul>

==LOGFILE and LOGGRP enhancements==
<var class="product">SirSafe</var> enhances the <var>[[LOGFILE command|LOGFILE]]</var> and
<var>[[LOGGRP command|LOGGRP]]</var> commands to facilitate the management of
file and group password table entries.
These changes are active whenever <var class="product">SirSafe</var> is enabled,
whether the <var class="product">SirSafe</var> mode is required or optional.

===Viewing visible entries in sorted display===
Even though visible file and group entries begin with a different character (<tt>></tt>)
than their standard counterparts, the file and group sections of the CCASTAT
file are sorted in order of file or group name and index character.
logfile procfile
<nowiki>>PROCFILE A THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL
:PROCFILE B ******** X'0761' 0, 0, 0, 0, 0, ALL
>PROCFILE 4 THEMAN X'0221' 0, 0, 0, 0, 0, ALL
</nowiki>
Note that for visible entries, the value of the password is displayed in
clear text, while standard entries are flagged with a field of eight asterisks.

===Selecting entries by password===
The syntax for <var>LOGFILE</var> and <var>LOGGRP</var> is extended to include a <var>PWDLOCATE</var> option.
If the keyword <var>PWDLOCATE</var> is present, the end user is prompted for a password value.
That value is used to filter the list of entries that would have been produced without the <var>PWDLOCATE</var> option, and the entries with matching password values is displayed.

====LOGFILE PWDLOCATE syntax====
LOGFILE [PWDLOCATE] [ [filename1] [filename2] ]

If just one filename is provided, the command lists just the entries for that file.
Otherwise, the command lists all the entries that are between the two values, inclusive.

====LOGGRP PWDLOCATE syntax====
LOGGRP [PWDLOCATE] [ [groupname1] [groupname2] ]

If just one group name is provided, the command lists just the entries for that group.
Otherwise, the command lists all the entries that are between the two values, inclusive.

====Example====
The following example assumes that the user entered <code>theman</code> in response
to the password prompt:
logfile pwdlocate
<nowiki>*** M204.0347: PASSWORD
>PROCFILE A THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL
>PROCFILE 4 THEMAN X'BFFF' 0, 0, 0, 0, 0, ALL
</nowiki>

For an additional example using <var>PWDLOCATE</var>, see [[SirSafe control of access to passwords#idccsta|Identifying file/group CCASTAT entries]]

==SECURE command enhancements==
The variant of the <var>[[SECURE FILE command|SECURE]]</var> command used to secure a file
is extended to accept the qualifier <var>FILE</var> and the optional
keyword <var>SIRSAFE</var>:

====SECURE FILE syntax====
SECURE [[FILE] SIRSAFE]

If the keyword <var>SIRSAFE</var> is present, the current file
is set in a mode such that it can only be open when <var class="product">SirSafe</var> is active.

For additional comments about this feature, see [[SirSafe control of access to passwords#secure|Enhanced SECURE command]].

==Subsystem control commands==
For versions of Model 204 prior to 7.5, only sites authorized for [[SirSafe]] were allowed to set the <var>[[APSYSEC parameter|APSYSEC]]</var> parameter. <var>APSYSEC</var> lets a system manager <var>[[START command: Starting an application subsystem|START]]</var>, <var>[[STOP command: Stopping an application subsystem|STOP]]</var>, <var>[[DEBUG command|DEBUG]]</var>, or <var>[[TEST command|TEST]]</var> any subsystem, without having to
add the system manager to the [[SCLASS]] authorized to do these things.

For sites with Model 204 7.5 and higher, no SirSafe authorization is required for <var>APSYSEC</var>.

==$Sir_Check_Access==
{{Template:$Sir Check Access}}

==See also==
{{Template:SirSafe topic list}}

[[Category:SirSafe]]

SirSafe command and function reference - Revision history

Admin: link repair

JAL: /* Subsystem control commands */ link repair

JAL: /* Usage notes */ link repair

Admin: 1 revision: SirSafe pages

JAL: add $Sir_Check_Access

← Older revision	Revision as of 21:32, 30 November 2016
(No difference)